
Re: Jabber Server?



On Mon, Mar 07, 2005 at 10:11:16AM +0100, Enrico Scholz wrote:
> adrian lisas de (Adrian Reber) writes:
> >> [... jabber ...]
> >> 1) The default password is somehow securely handled.  I didn't read too 
> >> carefully, how was this resolved?
> >
> > A random password is created during installation.
> 
> mmh...

yeah, I know :-)

> |      export NEWPASS="$RANDOM-newpass-$RANDOM"
> |      cd %{sysconfdir}
> |      %{__perl} -pi -e "s,<secret>secret</secret>,<secret>$NEWPASS</secret>,g" router-users.xml
> |      %{__perl} -pi -e "s,<secret>secret</secret>,<secret>$NEWPASS</secret>,g" router.xml
> |      %{__perl} -pi -e "s,<pass>secret</pass>,<pass>$NEWPASS</pass>,g" *.xml
> 
> 1. the password is random, but not secure (only 32 bit); you could do
> 
>    | dd if=/dev/urandom bs=20 count=1 | sha1sum
> 
>    which creates an 80bit password

very nice idea. I will use it.

> 2. the new password is visible with 'ps'; when you add the dependency on
>    'perl' (dunno, if jabber really requires it), you could read it from
>    the $NEWPASS environment variable.
> 
>    But when 'perl' is not required for jabberd functionality, the entire
>    script should be rewritten to remove this dep.

It is true that I could replace all the perl stuff with sed and will do
it, but how would you circumvent that the password can be seen with ps
during jabberd installation?

		Adrian
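
One way to do the substitution discussed above with sed and without the secret ever appearing on a command line, as an added example that is not part of the original message or of the jabberd package. The function names `gen_secret` and `set_secret` are hypothetical, and unlike the quoted scriptlet it applies both replacements to every `*.xml` file in the directory.

```shell
#!/bin/sh
# Added example: set a random secret without exposing it to `ps`.
# gen_secret and set_secret are hypothetical names, not from the package.

# Read 20 bytes from /dev/urandom and hex-encode them (40 characters).
# Hex output contains no characters that are special to sed.
gen_secret() {
    od -An -N20 -tx1 /dev/urandom | tr -d ' \n'
}

# Replace the default "secret" in every *.xml file in directory $1.
# The new value is taken from the shell variable NEWPASS and is never
# passed as an argument to an external command.
set_secret() {
    confdir=$1
    [ -n "${NEWPASS:-}" ] || { echo "NEWPASS not set" >&2; return 1; }
    # mktemp creates its files readable and writable by the owner only.
    script=$(mktemp) && tmp=$(mktemp) || return 1
    # Assumption: printf is a shell builtin (true for bash and dash), so
    # writing the sed script starts no process whose arguments ps can show.
    printf 's,<secret>secret</secret>,<secret>%s</secret>,g\n' "$NEWPASS" > "$script"
    printf 's,<pass>secret</pass>,<pass>%s</pass>,g\n' "$NEWPASS" >> "$script"
    rc=0
    for f in "$confdir"/*.xml; do
        [ -f "$f" ] || continue
        # sed's command line holds only file names, not the secret.
        # Writing back with cat keeps the config file's owner and mode.
        if sed -f "$script" "$f" > "$tmp"; then
            cat "$tmp" > "$f"
        else
            rc=1
        fi
    done
    rm -f "$script" "$tmp"
    return $rc
}

# Usage in an install scriptlet (the path is a placeholder):
#   NEWPASS=$(gen_secret)
#   set_secret /path/to/jabberd/config
#   unset NEWPASS
```

NEWPASS does not need to be exported here, so it also stays out of the environment of child processes.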

